Problem: Prevent Software Vulnerabilities

• Format String Attacks
• SQL Injection
• Cross Site Scripting, etc.
OpenSSL Security Bug

• Heartbleed (April 7, 2014)
• The code uses the user-provided payload length without checking it against the real size of the received record
• The resulting over-read returns up to 64 KB of server process memory per heartbeat, which can include the server's private key
• Could be detected by static analysis (taint analysis)
Heartbleed in OpenSSL¹

Coverity's annotated path through the vulnerable heartbeat handler (annotations 1 to 5 are Coverity's; the code is the pre-fix OpenSSL source):

    1. byte_swapping: Performing a byte swapping operation on p implies that it came from an external source, and is therefore tainted
    2. var_assign_var: Assigning: payload = ((unsigned int)p[0] << 8) | (unsigned int)p[1]. Both are now tainted
        n2s(p, payload);

    3. Condition s->msg_callback, taking true branch
        if (s->msg_callback)
            s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
                &s->s3->rrec.data[0], s->s3->rrec.length,
                s, s->msg_callback_arg);

    4. Condition hbtype == 1, taking true branch
        if (hbtype == TLS1_HB_REQUEST)
        {
            unsigned char *buffer, *bp;
            int r;

            /* Allocate memory for the response, size is 1 bytes
             * message type, plus 2 bytes payload length, plus
             * payload, plus padding
             */
            buffer = OPENSSL_malloc(1 + 2 + payload + padding);
            bp = buffer;

            /* Enter response type, length and copy payload */
            *bp++ = TLS1_HB_RESPONSE;
            s2n(payload, bp);

    CID 1201699 (#1 of 1): Untrusted value as argument (TAINTED_SCALAR)
    5. tainted_data: Passing tainted variable payload to a tainted sink.
            memcpy(bp, pl, payload);

¹ Image from Andy Chou's blog at Coverity
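The defect in the listing above, as an added example that is not OpenSSL's code: a cut-down heartbeat handler in the shape of that code, run once without and once with the bound the OpenSSL 1.0.1g fix added (1 + 2 + payload + 16 must not exceed the record length, otherwise the record is discarded). The memory arena, the record and the "key" bytes placed beside it are constructed for the demo; names such as process_heartbeat and HB_PADDING are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16     /* minimum padding required by RFC 6520 */

/* One array stands in for process memory: the heartbeat record at the front,
 * then bytes that play the role of whatever sits next to it on the heap.
 * The over-read below therefore stays inside this array (defined behaviour). */
static unsigned char arena[64];
static const size_t record_len = 1 + 2 + 2 + HB_PADDING;  /* real record: 21 bytes */

static void setup_arena(void) {
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x20;       /* claimed payload length: 32 */
    arena[3] = 'h';  arena[4] = 'i';        /* actual payload: 2 bytes */
    memcpy(arena + record_len, "SECRET-KEY-BYTES", 16);  /* constructed adjacent memory */
}

/* Build the heartbeat response for the record rec[0..rec_len).
 * checked == 0: pre-fix logic, payload length taken from the packet as-is.
 * checked == 1: the 1.0.1g bound, which ties payload to the record length.
 * Returns the response length, or -1 when the record is discarded. */
static int process_heartbeat(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap, int checked) {
    const unsigned char *p = rec;
    unsigned char hbtype;
    unsigned int payload;

    if (checked && 1 + 2 + HB_PADDING > rec_len) return -1;   /* too short */
    hbtype = *p++;
    payload = ((unsigned int)p[0] << 8) | p[1];               /* n2s(p, payload) */
    p += 2;
    const unsigned char *pl = p;                              /* payload start */
    if (checked && 1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (hbtype != TLS1_HB_REQUEST) return -1;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;   /* demo-only guard on the write side */
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);                    /* s2n(payload, bp) */
    *bp++ = (unsigned char)payload;
    memcpy(bp, pl, payload);   /* the tainted sink: copies `payload` bytes from pl */
    memset(bp + payload, 0, HB_PADDING);
    return (int)resp_len;
}

static int contains(const unsigned char *buf, int len, const char *needle) {
    int m = (int)strlen(needle);
    for (int i = 0; i + m <= len; i++)
        if (memcmp(buf + i, needle, (size_t)m) == 0) return 1;
    return 0;
}

/* Unchecked handler: the response echoes 32 bytes although the record only
 * carried 2, so the "key" that followed the record ends up in the reply. */
static int demo_leaks_secret(void) {
    unsigned char out[128];
    setup_arena();
    int n = process_heartbeat(arena, record_len, out, sizeof out, 0);
    return n > 0 && contains(out, n, "SECRET-KEY");
}

/* Checked handler: 1 + 2 + 32 + 16 = 51 exceeds the 21-byte record -> discarded. */
static int demo_hardened_rejects(void) {
    unsigned char out[128];
    setup_arena();
    return process_heartbeat(arena, record_len, out, sizeof out, 1) == -1;
}

/* Checked handler on an honest record (claimed length 2) still answers. */
static int demo_hardened_accepts_honest(void) {
    unsigned char out[128];
    setup_arena();
    arena[2] = 0x02;
    int n = process_heartbeat(arena, record_len, out, sizeof out, 1);
    return n == (int)record_len && out[3] == 'h' && out[4] == 'i';
}

int main(void) {
    printf("unchecked leaks adjacent memory:  %d\n", demo_leaks_secret());
    printf("checked rejects oversized length: %d\n", demo_hardened_rejects());
    printf("checked answers honest record:    %d\n", demo_hardened_accepts_honest());
    return 0;
}
```

The point a taint checker makes is visible in the two-line distance between `payload = ...` (taint source: bytes from the network) and `memcpy(bp, pl, payload)` (taint sink: a length): nothing in between relates `payload` to `rec_len`, and the fix is exactly one comparison that does.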
Taint Analysis

• Tracks the usage of untrusted program input
• Untrusted program input: tainted input
• Taint source: origin of tainted input (e.g. system call return values, data read from a socket or stdin)
• Taint sink: a use of tainted input that must not see untrusted data (e.g. the length argument of memcpy)
Taint Analysis: taint propagation

• Taint propagation: operations depending on tainted input generate tainted values
• Explicit taint propagation: data flow (assignments, arithmetic, loads and stores)
• Implicit taint propagation: control flow (a value assigned under a branch whose condition tests tainted data)
Example

 1  int main() {
 2      int x, b1, b2, y;
 3      scanf("%d", &x);
 4      b1 = even(x);
 5      b2 = odd(3);
 6      y = compute(x);
 7      return 0;
 8  }
 9
10  int compute(int x) {
11      int sum, i;
12      if (x == 2)
13          scanf("%d", &sum);
14      else
15          sum = 0;
16      for (i = 0; i < x; ++i)
17          sum += i;
18      return sum;
19  }
20
21  int odd(int x) {
22      if (x == 1)
23          return 0;
24      else
25          return even(x - 1);
26  }
27
28  int even(int x) {
29      if (x == 0)
30          return 1;
31      else
32          return odd(x - 1);
33  }

Taint Information

• Line 3: x is tainted
• Line 13: sum is tainted
• Line 6: y may be tainted (needs interprocedural analysis)
Contributions

• Algorithm to statically detect the flow of tainted values in C programs
• Handling of interprocedural taint propagation
• WAINT: implementation of the algorithm in LLVM
Source/Sink Specification

• The developer specifies sources and sinks in a configuration file
• The analysis does not analyze the bodies of sources and sinks
• The analysis uses annotations for sources (from the configuration file) to decide how taint propagates out of them
WAINT Analysis

• A summary table stores the taint information of function parameters and return values
• Intraprocedural analysis: discovery of taint sources, initial values for the summary table
• Context-sensitive analysis: interprocedural taint tracking using DSA alias analysis
• Context-insensitive analysis: uses the summary table information
WAINT Analysis (Flow)

[Flow diagram: the intraprocedural, context-sensitive and context-insensitive passes run in sequence and produce the results; all three exchange data through the Summary Table (function parameters and return value taint information). Legend: read data; read and write data.]

ECE Graduate Research Seminar, WAINT, slide 11/21

Intraprocedural Analysis

Statement Type | C Code
COPY           | p = q
LOAD           | p = *q
STORE          | *p = q
CALL           | call func
Intraprocedural Analysis: transfer functions

• COPY [p = q]: taint p iff q is tainted
• LOAD [p = *q]: taint p iff t = *q and t is tainted
• STORE [*p = q]: taint t = *p iff q is tainted
• CALL [call func(p)]: taint all t such that t = *p (the callee is not analyzed in this phase, so anything reachable through a pointer argument may have been written)
Example (2)

(The same program and taint information as on the Example slide above: x tainted at line 3, sum tainted at line 13, y possibly tainted at line 6 pending interprocedural analysis.)
Summary Table after Intraprocedural Analysis

Function | Variables (parameter, return value)
even     | x, ret
odd      | x, ret
compute  | x, ret (tainted)
main     | ret

After this phase only compute's return value (sum, tainted at line 13) is marked tainted; the other entries carry no taint yet.
Context-Sensitive Analysis

• Same transfer functions as the intraprocedural analysis except CALL
• Uses Data Structure Analysis (DSA): a field- and context-sensitive alias analysis²
• Analysis of a callee starts with the taint assumptions from the caller
• Uses the summary table for the initial taint information of procedure formals and the return value

² From LLVM creator Chris Lattner
Context-Insensitive Analysis

• Uses the functions' return value taint information from the summary table
• In practice: useful after the context-sensitive analysis
Example: WAINT

 1  int main() {
 2      int x, b1, b2, y;
 3      scanf("%d", &x);
 4      b1 = even(x);
 5      b2 = odd(3);
 6      y = compute(x);
 7      return 0;
 8  }
 9
10  int compute(int x) {
11      int sum, i;
12      if (x == 2)
13          scanf("%d", &sum);
14      else
15          sum = 0;
16      for (i = 0; i < x; ++i)
17          sum += i;
18      return sum;
19  }
20
21  int odd(int x) {
22      if (x == 1)
23          return 0;
24      else
25          return even(x - 1);
26  }
27
28  int even(int x) {
29      if (x == 0)
30          return 1;
31      else
32          return odd(x - 1);
33  }

Intraprocedural Analysis

• Line 3: x initially tainted
• Line 13: sum initially tainted
• Line 18: return value sum is tainted; compute() updates the summary table

Context-Sensitive Analysis

• Line 4: first parameter of even (x) is tainted
• Line 6: first parameter of compute (x) is tainted

Context-Insensitive Analysis

• Line 6: y is tainted (from the summary table); intraprocedural analysis alone would not find this

Legend (highlight colours in the original slide): initial taint information; existing taint information

Figure 1. Motivating Example
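The transfer functions of the intraprocedural slide and the summary-table lookup of the context-insensitive pass, applied to the program above, as an added example. This is not WAINT's implementation (which is an LLVM pass) but a stand-alone C model of the rules: the statement encoding, the variable indices, the points-to map PT that an alias analysis would supply, and the extra LOAD/STORE tail are assumptions of this example. It models explicit (data-flow) propagation only, treats the two arms of an if as a union (a may-analysis), and leaves even/odd without summary entries.

```c
#include <stdio.h>
#include <string.h>

#define NONE (-1)
/* Statement kinds of the intraprocedural slide, plus RET so a function body
 * can report whether its return value is tainted (feeds the summary table). */
enum kind { COPY, LOAD, STORE, CALL, RET };
/* dst/src are variable indices.  For CALL, src is the argument variable
 * (NONE if none) and dst the variable receiving the return value (or NONE). */
struct stmt { enum kind k; int dst; int src; const char *fn; };

/* Summary table: function name -> is its return value tainted? */
struct summary { const char *fn; int ret_tainted; };
static struct summary table[8];
static int ntable;

static int lookup(const char *fn) {            /* no entry: assume untainted */
    for (int i = 0; i < ntable; i++)
        if (strcmp(table[i].fn, fn) == 0) return table[i].ret_tainted;
    return 0;
}
static void record(const char *fn, int tainted) {
    for (int i = 0; i < ntable; i++)
        if (strcmp(table[i].fn, fn) == 0) { table[i].ret_tainted = tainted; return; }
    table[ntable].fn = fn; table[ntable++].ret_tainted = tainted;
}

/* Apply the transfer functions in program order.  Taint only grows (merges
 * are unions), so `sum = 0` on one branch cannot cancel `scanf(&sum)` on the
 * other.  PT[v] is the variable v points to, or NONE.  Records in the summary
 * table, and returns, whether the RET operand was tainted. */
static int analyze(const char *fn, const struct stmt *body, int n,
                   const int *PT, int *T) {
    int ret = 0;
    for (int i = 0; i < n; i++) {
        const struct stmt *s = &body[i];
        switch (s->k) {
        case COPY:  /* p = q: taint p iff q is tainted */
            if (s->src != NONE) T[s->dst] |= T[s->src];
            break;
        case LOAD:  /* p = *q: taint p iff the target of q is tainted */
            if (PT[s->src] != NONE) T[s->dst] |= T[PT[s->src]];
            break;
        case STORE: /* *p = q: taint the target of p iff q is tainted */
            if (PT[s->dst] != NONE) T[PT[s->dst]] |= T[s->src];
            break;
        case CALL:  /* call f(p): callee not analyzed here, so every t = *p
                       may have been written -> tainted (scanf("%d", &x)) */
            if (s->src != NONE && PT[s->src] != NONE) T[PT[s->src]] = 1;
            /* return value: context-insensitive lookup in the summary table */
            if (s->dst != NONE) T[s->dst] |= lookup(s->fn);
            break;
        case RET:
            ret |= T[s->src];
            break;
        }
    }
    record(fn, ret);
    return ret;
}

/* Variables of the slide program, plus Q/T_/Z/PZ for a LOAD/STORE tail. */
enum var { X, B1, B2, Y, PX, SUM, I, PSUM, Q, T_, Z, PZ, NV };

static const struct stmt compute_body[] = {
    { CALL, NONE, PSUM, "scanf" },  /* line 13: scanf("%d", &sum) */
    { COPY, SUM, NONE, 0 },         /* line 15: sum = 0 (constant) */
    { COPY, SUM, I, 0 },            /* line 17: sum += i */
    { RET,  NONE, SUM, 0 },         /* line 18: return sum */
};
static const struct stmt main_body[] = {
    { CALL, NONE, PX, "scanf" },    /* line 3: scanf("%d", &x) */
    { CALL, B1, X, "even" },        /* line 4 (even/odd: no summary entry) */
    { CALL, B2, NONE, "odd" },      /* line 5 */
    { CALL, Y, X, "compute" },      /* line 6: summary says ret is tainted */
};
static const struct stmt tail_body[] = {   /* constructed, not in the slide */
    { LOAD,  T_, Q, 0 },            /* t = *q, with q pointing to x */
    { STORE, PZ, B1, 0 },           /* *pz = b1, with pz pointing to z */
};
#define COUNT(a) ((int)(sizeof (a) / sizeof (a)[0]))

/* Run both phases; fills T (indexed by enum var) and returns compute's summary. */
static int run_example(int *T) {
    int PT[NV], Tc[NV] = {0};
    for (int v = 0; v < NV; v++) { PT[v] = NONE; T[v] = 0; }
    PT[PX] = X; PT[PSUM] = SUM; PT[Q] = X; PT[PZ] = Z;
    ntable = 0;
    analyze("compute", compute_body, COUNT(compute_body), PT, Tc); /* phase 1 */
    analyze("main", main_body, COUNT(main_body), PT, T);           /* phase 2 */
    analyze("tail", tail_body, COUNT(tail_body), PT, T);
    return lookup("compute");
}

int main(void) {
    static const char *names[NV] = { "x", "b1", "b2", "y", "&x", "sum",
                                     "i", "&sum", "q", "t", "z", "pz" };
    int T[NV];
    printf("compute() return tainted: %d\n", run_example(T));
    for (int v = 0; v < NV; v++) printf("%-5s tainted=%d\n", names[v], T[v]);
    return 0;
}
```

Running it reproduces the slide's three conclusions: x is tainted by the scanf call at line 3, compute's summary entry becomes tainted because its RET operand sum was written by scanf at line 13, and y at line 6 is tainted only because the caller consults that entry; with the summary lookup removed, y stays untainted, which is the gap the context-insensitive pass closes.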
Current Implementation

Program                    | SLOC | Warnings | Runtime
Mongoose web server (4.1)  | 4k   | 36       | 140s
vlc-input (2.1.2)          | 16k  | 0        | 6s
Claws email client (3.9.3) | 142k | 219      | 11s
Apache web server (2.4.7)  | 144k | n/a      | n/a (DSA crash)
TODOs/Future Work

• Handling of arrays and structs
• Handling of cycles (SCCs) in the call graph
• Investigate the crash of DSA while running on Apache
• Perform tests with other alias analyses
Conclusion

• The Heartbleed bug in OpenSSL shows the importance of taint analysis
• WAINT implements a context-sensitive taint analysis for C
• Preliminary results scale well up to about 150k lines of code